[GH-ISSUE #2030] Panic: "bad character in CAA issuer value" #854

New issue

Closed

opened 2026-03-16 00:35:58 +03:00 by kerem · 3 comments

kerem commented

2026-03-16 00:35:58 +03:00

Owner

Originally created by @oherrala on GitHub (Sep 20, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2030

Running cargo-fuzz in this repo with #2025 PR included there's a crash:

% cargo +nightly fuzz run message

Message { header: Header { id: 12594, message_type: Response, op_code: Query, authoritative: false, truncation: false, recursion_desired: true, recursion_available: false, authentic_data: tr
ue, checking_disabled: false, response_code: Refused, query_count: 0, answer_count: 0, name_server_count: 0, additional_count: 1 }, queries: [], answers: [], name_servers: [], additionals: [
Record { name_labels: Name("."), rr_type: CAA, dns_class: IN, ttl: 3221225472, rdata: Some(CAA(CAA { issuer_critical: false, tag: Issue, value: Issuer(Some(Name("n.t")), [KeyValue { key: "po
", value: "lieyÿÿÿÿÿÿÿÿÿÿcvÀ" }]) })) }], signature: [], edns: None }                                                                                                                         
thread '<unnamed>' panicked at fuzz_targets/message.rs:29:17:                                                                                                                                 
Message failed to deserialize: ProtoError { kind: Msg("bad character in CAA issuer value: '\u{80}'") }

The payload:

Output of `std::fmt::Debug`:

        [49, 50, 129, 101, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 192, 0, 0, 0, 0, 32, 0, 5, 105, 115, 115, 117, 101, 110, 46, 116, 59, 32, 112, 111, 61, 108, 105, 101, 121, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 99, 118, 192]

% hexyl --color never fuzz/artifacts/message/crash-84dfeabab146929ed1b7509e12f55e0dce79ba92
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 31 32 81 65 00 00 00 00 ┊ 00 00 00 01 00 01 01 00 │12×e⋄⋄⋄⋄┊⋄⋄⋄•⋄••⋄│
│00000010│ 01 c0 00 00 00 00 20 00 ┊ 05 69 73 73 75 65 6e 2e │•×⋄⋄⋄⋄ ⋄┊•issuen.│
│00000020│ 74 3b 20 70 6f 3d 6c 69 ┊ 65 79 ff ff ff ff ff ff │t; po=li┊ey××××××│
│00000030│ ff ff ff ff 63 76 c0    ┊                         │××××cv× ┊        │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘

Originally created by @oherrala on GitHub (Sep 20, 2023). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2030 Running cargo-fuzz in this repo with #2025 PR included there's a crash: ```console % cargo +nightly fuzz run message Message { header: Header { id: 12594, message_type: Response, op_code: Query, authoritative: false, truncation: false, recursion_desired: true, recursion_available: false, authentic_data: tr ue, checking_disabled: false, response_code: Refused, query_count: 0, answer_count: 0, name_server_count: 0, additional_count: 1 }, queries: [], answers: [], name_servers: [], additionals: [ Record { name_labels: Name("."), rr_type: CAA, dns_class: IN, ttl: 3221225472, rdata: Some(CAA(CAA { issuer_critical: false, tag: Issue, value: Issuer(Some(Name("n.t")), [KeyValue { key: "po ", value: "lieyÿÿÿÿÿÿÿÿÿÿcvÀ" }]) })) }], signature: [], edns: None } thread '<unnamed>' panicked at fuzz_targets/message.rs:29:17: Message failed to deserialize: ProtoError { kind: Msg("bad character in CAA issuer value: '\u{80}'") } ``` The payload: ``` Output of `std::fmt::Debug`: [49, 50, 129, 101, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 192, 0, 0, 0, 0, 32, 0, 5, 105, 115, 115, 117, 101, 110, 46, 116, 59, 32, 112, 111, 61, 108, 105, 101, 121, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 99, 118, 192] ``` ``` % hexyl --color never fuzz/artifacts/message/crash-84dfeabab146929ed1b7509e12f55e0dce79ba92 ┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐ │00000000│ 31 32 81 65 00 00 00 00 ┊ 00 00 00 01 00 01 01 00 │12×e⋄⋄⋄⋄┊⋄⋄⋄•⋄••⋄│ │00000010│ 01 c0 00 00 00 00 20 00 ┊ 05 69 73 73 75 65 6e 2e │•×⋄⋄⋄⋄ ⋄┊•issuen.│ │00000020│ 74 3b 20 70 6f 3d 6c 69 ┊ 65 79 ff ff ff ff ff ff │t; po=li┊ey××××××│ │00000030│ ff ff ff ff 63 76 c0 ┊ │××××cv× ┊ │ └────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘ ```

kerem closed this issue

2026-03-16 00:36:03 +03:00

kerem commented

2026-03-16 00:36:09 +03:00

Author

Owner

@bluejekyll commented on GitHub (Sep 20, 2023):

I really need to come up with an easier way for us to import fuzz crash reports into the project. On this one, it looks like this might be a test failure? The data appears to fail deserialization due to valid errors in the stream. I thought the fuzzing impl dealt with that. I'll have to take a look.

@bluejekyll commented on GitHub (Sep 20, 2023): I really need to come up with an easier way for us to import fuzz crash reports into the project. On this one, it looks like this might be a test failure? The data appears to fail deserialization due to valid errors in the stream. I thought the fuzzing impl dealt with that. I'll have to take a look.

kerem commented

2026-03-16 00:36:14 +03:00

Author

Owner

@bluejekyll commented on GitHub (Sep 20, 2023):

Ah, I see, this appears to be a round-tripping issue. I wonder if that's ultimately important or not for us... I'm not sure it's catching what we are most concerned with fuzz, which is bad data coming in off the wire and crashing the deserialization or causing issues at that time. The fuzz target seems to trip up on this round-trip logic often, and I'm not sure if it's an important detail. That is, this is bad data, it shouldn't be valid to construct it...

@bluejekyll commented on GitHub (Sep 20, 2023): Ah, I see, this appears to be a round-tripping issue. I wonder if that's ultimately important or not for us... I'm not sure it's catching what we are most concerned with fuzz, which is bad data coming in off the wire and crashing the deserialization or causing issues at that time. The fuzz target seems to trip up on this round-trip logic often, and I'm not sure if it's an important detail. That is, this is bad data, it shouldn't be valid to construct it...

kerem commented

2026-03-16 00:36:19 +03:00

Author

Owner

@divergentdave commented on GitHub (Apr 1, 2025):

This was fixed in #2373.

@divergentdave commented on GitHub (Apr 1, 2025): This was fixed in #2373.